[PATCH] gnu: expat: Update via graft.

  • Done
Details
5 participants
  • Leo Prikler
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Maxime Devos
Owner
unassigned
Submitted by
Leo Prikler
Severity
normal
Leo Prikler wrote on 9 May 2021 01:27
(address . guix-patches@gnu.org)(address . sebastian@pipping.org)
20210508232729.11557-1-leo.prikler@student.tugraz.at
* gnu/packages/xml.scm (expat-2.3.0): New variable.
(expat)[replacement]: Add it.
---
gnu/packages/xml.scm | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 931698a575..d8472f5fa3 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -120,6 +120,7 @@ the entire document.")
(package
(name "expat")
(version "2.2.9")
+ (replacement expat-2.3.0)
(source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
(origin
(method url-fetch)
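Review bot: the `(replacement expat-2.3.0)` field added under `(version "2.2.9")` carries no comment saying why expat is being grafted, and nothing in the patch establishes that 2.3.0 is ABI-compatible with 2.2.9, which the graft relies on because dependents are not rebuilt against the replacement. Suggest a short comment above the field naming the fix the graft is for, plus a note in the commit message on how compatibility was checked.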
@@ -143,6 +144,23 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))
+(define-public expat-2.3.0
+ (package
+ (inherit expat)
+ (version "2.3.0")
+ (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.xz")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.xz")))
+ (sha256
+ (base32
+ "1ab7fkab4wbj53xqsx2a4h5m310ak9abczjh0a2ymg73nsclz8ya")))))))
+
(define-public libebml
(package
(name "libebml")
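Review bot: `(define-public expat-2.3.0` exports the graft target, so it becomes a second user-visible expat package alongside 2.2.9; if it exists only to serve as the `replacement`, a plain `define` would keep it out of package listings. The new `source` form also repeats the `dot->underscore` helper already present in the original package's `source`, so the two copies can drift; a shared procedure taking the version would avoid that. The `sha256` value should be confirmed against the upstream release tarball before this is pushed.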
--
2.31.1
Leo Famulari wrote on 9 May 2021 16:05
(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)(address . 48304@debbugs.gnu.org)
YJfsLgjGmIf2b8VS@jasmine.lan
On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> * gnu/packages/xml.scm (expat-2.3.0): New variable.
> (expat)[replacement]: Add it.

Nitpick: It should be

(expat)[replacement]: New field.

Otherwise, looks okay assuming ABI compatibility, but we only use grafts
for security updates.
Maxime Devos wrote on 9 May 2021 16:27
(address . 48304@debbugs.gnu.org)
829778414d37d154393f014d52c17e58b72aa1ac.camel@telenet.be
Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > (expat)[replacement]: Add it.
>
> Nitpick: It should be
>
> (expat)[replacement]: New field.
>
> Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> for security updates.

The maintainer of expat will release a 2.4.0 with security fixes soon.

Greetings,
Maxime.
Leo Famulari wrote on 9 May 2021 16:32
(name . Maxime Devos)(address . maximedevos@telenet.be)
YJfyktlty0F6W2BC@jasmine.lan
On Sun, May 09, 2021 at 04:27:20PM +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes soon.

Yes, I know :) I think we all received the same private email.

We can test the graft with 2.3.0 but wait until 2.4.0 to actually use
it.
Leo Prikler wrote on 9 May 2021 16:37
(address . 48304@debbugs.gnu.org)
276aa14b795b9046b326e5bc0235049a5710c765.camel@student.tugraz.at
On Sunday, 09.05.2021, at 16:27 +0200, Maxime Devos wrote:
> Leo Famulari wrote on Sun 09-05-2021 at 10:05 [-0400]:
> > On Sun, May 09, 2021 at 01:27:29AM +0200, Leo Prikler wrote:
> > > * gnu/packages/xml.scm (expat-2.3.0): New variable.
> > > (expat)[replacement]: Add it.
> >
> > Nitpick: It should be
> >
> > (expat)[replacement]: New field.
> >
> > Otherwise, looks okay assuming ABI compatibility, but we only use
> > grafts
> > for security updates.
>
> The maintainer of expat will release a 2.4.0 with security fixes
> soon.
>
> Greetings,
> Maxime.

Indeed, the mail they dropped over at guix-devel made it seem as though
not being on 2.3.0 was a security risk already. The ChangeLog does
mention some items worth fuzzing over.

That said, I simply wanted to claim a bug ID for this and let people
check whether the update really breaks nothing. The list of dependants
is far too big for me to handle.

Regards,
Leo
Leo Famulari wrote on 9 May 2021 17:22
(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)
YJf+TnQ+DenU++Mx@jasmine.lan
On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
> Indeed, the mail they dropped over at guix-devel made it seem as though
> not being on 2.3.0 was a security risk already. The ChangeLog does
> mention some items worth fuzzing over.

In general, all updates are security updates. But we shouldn't / can't
update all core packages with grafts just because. Grafting is a kludge
that doesn't always work as expected (and the problems are hidden), and
it has a high I/O performance cost.

So, let's wait for a security advisory.
Ludovic Courtès wrote on 15 May 2021 12:12
control message for bug #48304
(address . control@debbugs.gnu.org)
87cztsl301.fsf@gnu.org
tags 48304 + security
quit
Marius Bakke wrote on 23 May 2021 17:33
Re: [bug#48304] [PATCH] gnu: expat: Update via graft.
871r9xqxce.fsf@gnu.org
merge 48304 48612
thanks

Leo Famulari <leo@famulari.name> writes:

> On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote:
>> Indeed, the mail they dropped over at guix-devel made it seem as though
>> not being on 2.3.0 was a security risk already. The ChangeLog does
>> mention some items worth fuzzing over.
>
> In general, all updates are security updates. But we shouldn't / can't
> update all core packages with grafts just because. Grafting is a kludge
> that doesn't always work as expected (and the problems are hidden), and
> it has a high I/O performance cost.
>
> So, let's wait for a security advisory.

I opened a similar discussion about the security fix in Expat 2.4.0
recently and am merging with this issue (which I had not seen):

Leo Famulari wrote on 3 Jun 2021 05:17
(name . Marius Bakke)(address . marius@gnu.org)
YLhJ1Dee1in8cDN7@jasmine.lan
On Sun, May 23, 2021 at 05:33:05PM +0200, Marius Bakke wrote:
> merge 48304 48612

The merge didn't work (one bug was for 'guix', and one for
'guix-patches'), but I pushed a graft as
6d71f6a73cd27d61d3302b9658893428af6314d2

Closed
This issue is archived.